[nycphp-talk] security, sessions, and encryption
Jeff Siegel
jsiegel1 at optonline.net
Tue Mar 16 09:28:30 EST 2004
For login purposes, I have people log in through SSL and have their
passwords encrypted using "crypt." Crypt does a one-way encryption so
you encrypt their password that they input on the form and compare it to
what's stored in the database. (Basically no. 2 in your list.)
If someone should somehow gain access to the database, or some other
catastrophe occurs, they'd see something like the following in your
table's password field: LSoxL6eUJCUYg. (Of course, if someone gained
access to your database...you've got bigger issues to handle.)
Jeff Siegel
Aaron Fischer wrote:
> Hi all,
>
> I'm working up a little application that will require password
> authentication to gain entry into the site. The login page will query
> the username/password information that is stored in a MySQL table. I
> plan on using sessions to enable the authorized user to travel around
> the site and also to prevent an unauthorized user from gaining access to
> the site.
>
> My main question revolves around encryption. The sources that I have
> been referencing advocate for encrypting the password during the
> authentication process. However, I've been frustrated by how briefly
> this topic is passed over in my books. The little application that I am
> working on now only has fairly low level security needs and encryption
> may be overkill, but I have another project coming down the line where
> the security needs will be greater, so I might as well get started
> learning this stuff now! Like, one question I have is, why encrypt?
> What am I preventing from happening?
>
> In general I am interested in what methods of securing an application
> folks recommend. I'd like to read up about general theories on
> protection and types of misuse/attacks as well as learn about specific
> methods of protection. I'd also be interested in hearing references for
> good books that deal with security (shameless plugs are welcome).
>
> The two methods I have seen recommended so far are:
>
> 1. MySQL encryption via "password" function:
> A preexisting script I inherited uses this method where the form
> submission is encrypted in the SQL query statement.
> "select * from tablename where name = '$_POST[name]' and pass =
> password('$_POST[password]')";
> So, the password is encrypted using MySQL's password encryption and is
> compared to the encrypted version stored in the table. However, when I
> read the MySQL documentation, I came across these lines:
> "Note: The PASSWORD() function is used by the authentication system
> in MySQL Server, you should NOT use it in your own applications. For
> that purpose, use MD5() or SHA1() instead. Also see RFC-2195 for more
> information about handling passwords and authentication securely in your
> application."
> So, it seems that this method is a no-no.
>
> 2. Encrypt using php, which can use the encryption methods available
> on the server operating system. In the book that
> recommends using crypt() my issue is that it doesn't explain how it is
> working or what's going on behind the scenes and I haven't been able to
> find good documentation online that will help me either. The crypt()
> code line in the book is:
> if (crypt($password, $result['password']) == $result['password']) {
>     // start session
> }
>
> I'd appreciate any feedback on the aforementioned methods, as well as
> book or online resource references.
>
> Cheers,
>
> -Aaron
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
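Worked example (added here as an editorial illustration; this is not code from either poster): the crypt() comparison Aaron quotes works because a crypt() result begins with its own salt, so passing the stored string back as crypt()'s second argument makes it reuse that salt, and the output can only match when the password matches. The block shows that mechanism, then the same login done with PHP's password_hash()/password_verify() and a bound-parameter query in place of the interpolated $_POST values. It assumes PHP 7.1 or later with the pdo_sqlite extension; the users table, its name/pass columns and the sample credentials are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Assumes PHP >= 7.1 and the
// pdo_sqlite extension; table and column names are illustrative.

// --- The mechanism behind: crypt($password, $stored) == $stored ---

// A crypt() result begins with its salt (2 chars for traditional DES, the
// "LSoxL6eUJCUYg" shape; "$id$..." prefixes for the newer schemes). Handing
// the stored string back as the salt makes crypt() reuse that salt, so the
// recomputed value equals the stored one only for the same password.
function legacyCryptVerify(string $password, string $storedHash): bool
{
    $recomputed = crypt($password, $storedHash);
    // Constant-time compare: a plain == leaks how many leading bytes matched.
    return hash_equals($storedHash, $recomputed);
}

// Creating such a hash means generating a fresh random salt per user.
// Shown only to explain the stored format: traditional DES crypt truncates
// the password to 8 characters and is far too fast to resist brute force.
function legacyCryptHash(string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    return crypt($password, $salt);
}

// --- The current equivalent: password_hash() / password_verify() ---

function storeNewUser(PDO $db, string $username, string $password): void
{
    // Salted, deliberately slow hash (bcrypt under PASSWORD_DEFAULT today);
    // the algorithm, cost and salt are all embedded in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, pass) VALUES (:name, :pass)');
    $stmt->execute([':name' => $username, ':pass' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter instead of interpolating $_POST into the SQL string,
    // which would let a crafted username rewrite the query.
    $stmt = $db->prepare('SELECT pass FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one verification so the response time does
        // not reveal which usernames exist.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }

    // password_verify() falls back to crypt() for hashes it does not
    // recognise, so rows still holding 13-character DES hashes keep working.
    if (!password_verify($password, $row['pass'])) {
        return false;
    }

    // Transparent upgrade: rehash when the stored value uses an older scheme
    // or a lower cost than PASSWORD_DEFAULT currently produces.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pass = :pass WHERE name = :name');
        $upd->execute([':pass' => password_hash($password, PASSWORD_DEFAULT),
                       ':name' => $username]);
    }
    return true;
}

// --- Demo on a constructed in-memory database ---
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT NOT NULL)');

storeNewUser($db, 'aaron', 'correct horse battery');
// A pre-existing row written by the old crypt()-based scheme.
$db->prepare('INSERT INTO users (name, pass) VALUES (?, ?)')
   ->execute(['jeff', legacyCryptHash('oldstyle')]);

$attempts = [['aaron', 'correct horse battery'], ['aaron', 'wrong'],
             ['jeff', 'oldstyle'], ['nobody', 'anything']];
foreach ($attempts as [$u, $p]) {
    printf("%-7s %-22s %s\n", $u, $p, login($db, $u, $p) ? 'accepted' : 'rejected');
}

// After jeff's successful login the row holds a password_hash() value.
$stored = (string) $db->query("SELECT pass FROM users WHERE name = 'jeff'")->fetchColumn();
printf("jeff's stored hash now starts with: %s\n", substr($stored, 0, 4));
```

The point to take from the two halves is that the stored hash is the salt carrier in both schemes; what changes with password_hash() is that the work factor is tunable and the comparison, salt generation and algorithm selection are no longer left to application code.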